
Adobe Patches Six Critical Flaws in ColdFusion

Adobe issued fixes for nine flaws in its ColdFusion web development platform, six of them rated critical.

Adobe has released patches fixing six critical vulnerabilities in its ColdFusion product that could lead to arbitrary code-execution.

The flaws affect ColdFusion, Adobe’s commercial web application development platform. Affected are ColdFusion 2016 (Update 6 and earlier), the initial ColdFusion 2018 release of July 12, 2018, and ColdFusion 11 (Update 14 and earlier).

In all, the ColdFusion update addresses nine flaws, including four critical deserialization of untrusted data flaws that could lead to arbitrary code-execution (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958 and CVE-2018-15959). Additional flaws included one critical unrestricted file upload bug that could also lead to arbitrary code-execution (CVE-2018-15961) and one critical vulnerability that could enable arbitrary file-overwrite (CVE-2018-15960).

Other vulnerabilities include an important-severity security bypass flaw that allows arbitrary folder creation (CVE-2018-15963), an important-severity directory listing flaw that could enable information disclosure (CVE-2018-15962), and a moderate-severity information-disclosure vulnerability (CVE-2018-15964).

Adobe said it is not aware of any exploits in the wild for any of the issues addressed in the updates. The company recommends users update installations to ColdFusion 2018 Update 1, ColdFusion 2016 Update 7, and ColdFusion 11 Update 15.

“Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides,” the company said in an advisory published Tuesday.

In addition to ColdFusion, Adobe also released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update addresses an important-rated vulnerability in Adobe Flash Player Desktop Runtime, Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11 – all for versions 30.0.0.154 and earlier.

The flaw (CVE-2018-15967) is a privilege-escalation vulnerability, the successful exploitation of which could lead to information disclosure. Adobe said that it is not aware of any exploits in the wild for the flaw; and users of impacted Adobe Flash Player versions should update to version 31.0.0.108.

This month’s 10 patches were on par with last month’s August Patch Tuesday for Adobe, where the company released 11 total fixes, including two critical patches for Acrobat and Reader. Exploitation of those vulnerabilities could lead to arbitrary code-execution in the context of the current user.

Last month, Adobe also issued two unscheduled updates: one for two critical flaws that could enable remote code-execution in Photoshop CC, and a second to address a bug for which proof-of-concept code was already publicly available.

Authors

Threatpost
